Wednesday, January 16, 2008

Yahoo! CAPTCHA is broken

A few months ago we received information that a Yahoo CAPTCHA recognition system exists in the wild with a recognition rate of about 30%. So we decided to conduct a few experiments. We explored the Yahoo CAPTCHA and designed a similar system with an even better recognition rate (about 35%). The vendor was notified. The vendor didn't reply. In this article we present our own research.

Many Internet resources that specialize in CAPTCHA recognition claim that the Yahoo CAPTCHA is very difficult for machine recognition.

However, that’s not right. Your CAPTCHA has a vulnerability that we’ll discuss later. It’s not necessary to achieve a high degree of accuracy when designing automated recognition software. An accuracy of 15% is enough when an attacker is able to run 100,000 tries per day, taking into consideration the price of non-automated recognition: one cent per CAPTCHA.

The implementation of the Yahoo CAPTCHA recognition engine is here. It consists of two projects (client and server). The first project (server) needs the MATLAB 2007a Compiler Runtime (MCR) installed. It waits for a connection and receives a CAPTCHA; after that it sends the recognized CAPTCHA text string back to the client. The client reads the jpg files in the test1 directory and sends them one by one to the server located on the same machine.

If you have any questions or proposals, please contact us. We’re open to discussion.